Reading 19 - Foodisthebest/401-Reading-Notes GitHub Wiki
Readings: Cloud Detective Controls
Below you will find reading materials and additional resources that support today’s topic and the upcoming lecture.
Review the Submission Instructions for guidance on completing and submitting this assignment.
Reading
Videos
AWS re:Inforce 2019: Threat Detection on AWS: An Introduction to Amazon GuardDuty (FND216)
What are some of the IoCs that GuardDuty can detect?
Privilege escalation, use of exposed credentials, communication with known-malicious IP addresses or domains, presence of malware on Amazon EC2 instances and container workloads, and unusual patterns of login events against your databases.
What are some of the data sources which GuardDuty can use?
Data sources include AWS CloudTrail management events, AWS CloudTrail event logs, VPC flow logs, and DNS logs.
How does GuardDuty use access behavior to spot potential malicious activity?
By matching the IP addresses and domains that appear in those logs against threat intelligence feeds, such as lists of known-malicious IP addresses and domains.
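The two detection styles the notes describe, matching log records against a threat intelligence feed and flagging access behaviour that departs from a baseline, can be illustrated with a small script. The following is an added example, not code from the reading notes or from AWS: the VPC flow log lines, CloudTrail-style login events, the `THREAT_FEED` CIDR list and the failure threshold are all constructed for the example, and GuardDuty's own managed analysis is not reproduced here.

```python
"""Toy cloud detective control: threat-feed matching over VPC flow logs and
baseline-based anomaly checks over console login events (added example)."""
from collections import Counter
import ipaddress

# Constructed threat-intelligence feed (documentation address ranges).
THREAT_FEED = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]

# Field names of the default (version 2) VPC flow log format.
FLOW_FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log-status")

# Constructed flow log records: one outbound hit on the feed, one benign, one inbound hit.
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49152 443 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49153 443 6 20 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 40000 22 6 3 180 1700000000 1700000060 REJECT OK
""".strip().splitlines()


def _login(user, ip, outcome):
    """Build a minimal CloudTrail-style ConsoleLogin event (constructed shape)."""
    return {"eventName": "ConsoleLogin", "userIdentity": {"userName": user},
            "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": outcome}}


# Constructed events: an earlier window used to learn normal behaviour ...
BASELINE_EVENTS = [_login("alice", "192.0.2.10", "Success"), _login("alice", "192.0.2.10", "Success"),
                   _login("alice", "192.0.2.11", "Success"), _login("bob", "192.0.2.20", "Success")]
# ... and a recent window containing a new, feed-listed source with repeated failures.
RECENT_EVENTS = [_login("alice", "198.51.100.99", "Failure"), _login("alice", "198.51.100.99", "Failure"),
                 _login("alice", "198.51.100.99", "Success"), _login("bob", "192.0.2.20", "Success")]


def parse_flow_record(line):
    """Split a default-format VPC flow log line into a dict of named, typed fields."""
    fields = line.split()
    if len(fields) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(FLOW_FIELDS, fields))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def in_threat_feed(addr, feed=THREAT_FEED):
    """True when the address falls inside any CIDR block of the feed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in feed)


def match_threat_feed(lines, feed=THREAT_FEED):
    """Report every flow record whose source or destination is on the feed."""
    findings = []
    for line in lines:
        rec = parse_flow_record(line)
        for role in ("srcaddr", "dstaddr"):
            if in_threat_feed(rec[role], feed):
                findings.append({"interface": rec["interface-id"], "role": role,
                                 "addr": rec[role], "action": rec["action"]})
    return findings


def build_login_baseline(events):
    """Map each user to the set of source IPs seen on successful logins."""
    baseline = {}
    for ev in events:
        if ev["responseElements"].get("ConsoleLogin") == "Success":
            baseline.setdefault(ev["userIdentity"]["userName"], set()).add(ev["sourceIPAddress"])
    return baseline


def detect_login_anomalies(events, baseline, feed=THREAT_FEED, fail_threshold=2):
    """Flag feed-listed sources, never-before-seen sources and repeated failures.
    Each (type, user, ip) finding is reported once."""
    findings, reported, failures = [], set(), Counter()

    def report(kind, user, ip):
        if (kind, user, ip) not in reported:
            reported.add((kind, user, ip))
            findings.append({"type": kind, "user": user, "ip": ip})

    for ev in events:
        user, ip = ev["userIdentity"]["userName"], ev["sourceIPAddress"]
        if in_threat_feed(ip, feed):
            report("threat_feed_match", user, ip)
        if ip not in baseline.get(user, set()):
            report("new_source_ip", user, ip)
        if ev["responseElements"].get("ConsoleLogin") == "Failure":
            failures[(user, ip)] += 1
            if failures[(user, ip)] >= fail_threshold:
                report("repeated_failures", user, ip)
    return findings


if __name__ == "__main__":
    for f in match_threat_feed(FLOW_LOG_LINES):
        print("flow:", f)
    for f in detect_login_anomalies(RECENT_EVENTS, build_login_baseline(BASELINE_EVENTS)):
        print("login:", f)
```

The flow log pass is pure feed matching, which is why it catches the rejected inbound probe as well as the accepted outbound connection; the login pass shows the other half of the picture, where an address that is not on any feed would still be surfaced because it is new for that user or because it accumulates failures.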